ویژگی جعل هویت با استفاده از Rails و NextJS

class CreateImpersonations < ActiveRecord::Migration[7.0]
  def change
    create_table :impersonations do |t|
      t.references :user, null: false, foreign_key: true
      t.references :admin_user, null: false, foreign_key: true
      t.string :token, null: false
      t.datetime :exchange_before, null: false
      t.boolean :used, null: false, default: false

      t.timestamps
    end

    add_index :impersonations, :token, unique: true
  end
end

class Impersonation < ApplicationRecord
  SESSION_DURATION = 20.minutes

  belongs_to :user
  belongs_to :admin_user

  validates :token, presence: true, uniqueness: true
  validates :exchange_before, presence: true

  scope :current, -> { where(used: false).where('exchange_before >= ?', Time.current) }

  def mark_used!
    update!(used: true)
  end

  def session_duration
    SESSION_DURATION
  end
end

# app/admin/users.rb

ActiveAdmin.register User do
  ...

  member_action :impersonate, method: :post do
    user = User.find(params[:id])

    impersonator = Users::Impersonations::Initiator.new(user: user,
                                                        admin_user: current_admin_user)
    impersonator.initiate!
    redirect_url = impersonator.redirect_url

    redirect_to redirect_url, allow_other_host: true
  end

  action_item :impersonate, only: :show do
    link_to('Impersonate', impersonate_admin_user_path(resource),
            method: :post, target: '_blank', rel: 'noopener')
  end
end

# This class builds a url that to allow an admin user to impersonate a user.
# It creates a temporary token that the frontend will exchange for a more permanent JWT
# in a subsequent call.
# Since this temporary token travels in the query params, it is insecure and therefore
# only valid for a couple minutes and can be used only once.

module Users
  module Impersonations
    class Initiator
      EXCHANGE_EXPIRES_IN = 2.minutes

      def initialize(user:, admin_user:)
        @user = user
        @admin_user = admin_user
      end

      def initiate!
        ::Impersonation.create!(user: user,
                                admin_user: admin_user,
                                token: token,
                                exchange_before: EXCHANGE_EXPIRES_IN.from_now)
      end

      def redirect_url
        base_url = URI.parse(frontend_url)
        base_url.path = '/impersonate'
        base_url.query = { token: token }.to_query

        base_url.to_s
      end

      private

      attr_reader :user, :admin_user

      def token
        @token ||= SecureRandom.hex(32)
      end

      def frontend_url
        ENV.fetch('FRONTEND_URL', 'https://app.village.com')
      end
    end
  end
end

// src/pages/impersonate/index.js

import * as userActions from "../../../store/actions/userActions";

const ImpersonatePage = () => {
  const dispatch = useDispatch();
  const router = useRouter();
  const madeRequest = useRef(false);

  useEffect(() => {
    const impersonate = async () => {
      const token = router.query.token;

      if(madeRequest.current) {
        return;
      }

      if (token) {
        madeRequest.current = true;

        await dispatch(userActions.logout({ skipToast: true })); 
        await dispatch(userActions.impersonate(token));
      }

      router.replace("/");
    };

    impersonate();
  }, [router.query.token]);

  return (
    <Head>
      <title>MyApp | Impersonating</title>
    </Head>
  );
};

export default ImpersonatePage;

// store/actions/userActions.js

...

export const impersonate = (token) => async (dispatch, getState) => {
  const gqlQuery = {
    query: `
      mutation ImpersonateUser($token: String!) {
        impersonateUser(token: $token) {
          errors
          user {
            id 
            jwt
            name
            email
          }
        }
      }
    `,
    variables: {
      token,
    },
  };

  try {
    const data = await helper(gqlQuery);
    const responseData = data.impersonateUser;
    const errors = responseData.errors;
    const userData = responseData.user;

    if (!errors && userData) {
      dispatch({
        type: USER_IMPERSONATION,
        userInfo: userData,
      });

      await handleSuccessfulUserLogin(dispatch, getState, userData); // Do your thing here...
    } else {
      dispatch({
        type: USER_IMPERSONATION_FAIL,
        errors: errors,
      });

      errorMessageExtractor(errors);
    }
  } catch (err) {
    dispatch({
      type: USER_IMPERSONATION_FAIL,
      errors: err,
    });

    handleServerErrors(err);
  }
};

# app/graphql/mutations/user/impersonate_user.rb

# Given a temporary impersonation token,
# allows retrieving a CurrentUser (and its corresponding longer-lasting JWT)

module Mutations
  module User
    class ImpersonateUser < Mutations::BaseMutation
      argument :token, String, required: true

      field :user, Types::CurrentUserType, null: true
      field :errors, Types::JsonType, null: true

      def resolve(token:)
        impersonator = ::Users::Impersonations::Authenticator.new(impersonation_token: token)
        impersonator.authenticate

        return { errors: impersonator.errors } unless impersonator.success?

        context[:current_user] = impersonator.user
        context[:impersonation] = impersonator.impersonation

        { user: impersonator.user }
      end

      def self.authorized?(_object, _context)
        true # needed because my BaseMutation requires a signed in user by default, so we're overriding. 
      end
    end
  end
end

# app/graphql/types/current_user_type.rb

module Types
  class CurrentUserType < ApplicationRecordType
    field :id, ID, null: false
    field :name, String, null: false
    field :email, String, null: false

    field :jwt, String, null: true

    def jwt
      if context[:impersonation].present?
        AuthToken.token(object, expires_in: context[:impersonation].session_duration)
      else
        AuthToken.token(object)
      end
    end

    def self.authorized?(object, context)
      context[:current_user] == object
    end
  end
end

# spec/controllers/admin/users_controller_spec.rb

RSpec.describe Admin::UsersController do
  render_views
  let(:page) { Capybara::Node::Simple.new(response.body) }

  describe 'GET show' do
    subject(:make_request) { get :show, params: { id: user.id } }
    let!(:user) { create(:user) }
    before do
      login_admin
    end

    it 'renders the user info and button to impersonate', :aggregate_failures do
      make_request

      expect(response).to have_http_status(:success)

      expect(page).to have_content(user.first_name)
      expect(page).to have_content(user.last_name)
      expect(page).to have_content(user.email)

      expect(page).to have_link('Impersonate', href: impersonate_admin_user_path(user))
    end
  end
end 

# spec/concepts/users/impersonations/initiator_spec.rb

RSpec.describe Users::Impersonations::Initiator do
  let(:initiator) { described_class.new(user: user, admin_user: admin_user) }

  let(:user) { create(:user) }
  let(:admin_user) { create(:admin_user) }

  before do
    ENV['FRONTEND_URL'] = 'https://my-frontend.com'
  end

  after do
    ENV['FRONTEND_URL'] = nil
  end

  it 'creates an impersonation and exposes a redirect url' do
    expect {
      initiator.initiate!
    }.to change(Impersonation, :count).by(1)

    impersonation = Impersonation.last

    expect(impersonation.user).to eq(user)
    expect(impersonation.admin_user).to eq(admin_user)
    expect(impersonation.token).to be_present
    expect(impersonation.exchange_before).to be_present

    expect(initiator.redirect_url)
      .to eq("https://my-frontend.com/impersonate?token=#{impersonation.token}")
  end
end

# spec/graphql/mutations/user/impersonate_user_spec.rb

RSpec.describe Mutations::User::ImpersonateUser, type: :request do
  subject(:make_request) do
    make_graphql_request(
      query: query,
      variables: variables
    )
  end

  let(:user) { nil }

  let(:query) do
    <<-GRAPHQL
      mutation impersonateUser($token: String!) {
        impersonateUser(token: $token) {
          errors
          user {
            email
            jwt
            isVerified
          }
        }
      }
    GRAPHQL
  end

  let(:variables) do
    {
      token: impersonation_token
    }
  end

  let(:impersonation_token) { 'sometoken' }

  let(:authenticator_double) do
    instance_double(Users::Impersonations::Authenticator,
                    authenticate: nil,
                    success?: true,
                    errors: nil,
                    user: impersonated_user,
                    impersonation: stubbed_impersonation)
  end

  let(:stubbed_impersonation) { create(:impersonation, user: impersonated_user) }
  let(:impersonated_user) { create(:user) }

  before do
    allow(Users::Impersonations::Authenticator)
      .to receive(:new).with(impersonation_token: impersonation_token)
      .and_return(authenticator_double)

    allow(AuthToken).to receive(:token)
      .with(impersonated_user, expires_in: 20.minutes)
      .and_return('somejwt')
  end

  it 'returns verified user' do
    make_request

    expect(json_body.dig('impersonateUser', 'errors')).to be_nil
    expect(json_body.dig('impersonateUser', 'user', 'jwt')).to eq('somejwt')
    expect(json_body.dig('impersonateUser', 'user', 'email')).to eq(impersonated_user.email)
  end

  context 'when the authenticator returns an error' do
    let(:error_message) { 'some error' }

    let(:authenticator_double) do
      instance_double(Users::Impersonations::Authenticator,
                      authenticate: nil,
                      success?: false,
                      errors: { impersonationToken: error_message })
    end

    it 'returns the error' do
      make_request

      expect(json_body.dig('impersonateUser', 'errors', 'impersonationToken')).to eq(error_message)
      expect(json_body.dig('impersonateUser', 'user')).to be_nil
    end
  end
end

# spec/concepts/users/impersonations/initiator_spec.rb

RSpec.describe Users::Impersonations::Initiator do
  let(:initiator) { described_class.new(user: user, admin_user: admin_user) }

  let(:user) { create(:user) }
  let(:admin_user) { create(:admin_user) }

  before do
    ENV['FRONTEND_URL'] = 'https://village-frontend.com'
  end

  after do
    ENV['FRONTEND_URL'] = nil
  end

  it 'creates an impersonation and exposes a redirect url' do
    expect {
      initiator.initiate!
    }.to change(Impersonation, :count).by(1)

    impersonation = Impersonation.last

    expect(impersonation.user).to eq(user)
    expect(impersonation.admin_user).to eq(admin_user)
    expect(impersonation.token).to be_present
    expect(impersonation.exchange_before).to be_present

    expect(initiator.redirect_url)
      .to eq("https://village-frontend.com/impersonate?token=#{impersonation.token}")
  end
end

app/concepts/users/impersonations/cleaner_worker.rb

# Removes expired or already used impersonation tokens in order to free database space.

module Users
  module Impersonations
    class CleanerWorker
      include Sidekiq::Worker

      def perform
        ::Impersonation.no_longer_valid.destroy_all
      end
    end
  end
end

  scope :no_longer_valid, -> { where(used: true).or(where('exchange_before < ?', Time.current)) }

RSpec.describe Users::Impersonations::CleanerWorker do
  let(:worker) { described_class.new }

  let!(:expired_impersonation) { create(:impersonation, :expired) }
  let!(:used_impersonation) { create(:impersonation, :used) }
  let!(:valid_impersonation) { create(:impersonation) }

  it 'removes expired or already used impersonation tokens' do
    expect {
      worker.perform
    }.to change(Impersonation, :count).by(-2)

    expect(Impersonation.all).to contain_exactly(valid_impersonation)
  end
end